In order to defend against an attacker that holds the signing keys for
the app repository, there must be a trustworthy source of information to
compare against. Reproducible builds means that anyone with the same
source code will produce the exact same binary. When paired with an
auditing system, it is easy to catch malware inserted in the build
process, rather than the source code, like XCodeGhost. Reproducible
builds also makes it possible to have all builds of a release binary
have the exact same hash. Then any app repository can build apps only
from source code, and have a source of verification data from any other
app repository building the same app. Building software from source has
become cheap enough that many companies like gitlab.com and Travis CI
are offering free, automated build services in the cloud. Since the
whole F-Droid toolset is free software and designed to be easy to setup,
the barriers to setting up automatic auditing are quite low. People in
separate areas of the world with different risk profiles can run
verification servers to provide more
trustworthy information.

Initial Installs

Most users of F-Droid download the APK from f-droid.org and install
it. This is a potential vector of attack that built-in app stores do
not have. Therefore, many additional security precautions are taken
to make it as hard as possible to exploit this vector.

included on the
HSTS preload list, so
major browsers will only ever use HTTPS for all connections to
f-droid.org

website is fully functional when Javascript is disabled in the
browser, eliminating all possibility of XSS attacks

F-Droid as built-in app store

When F-Droid is built into Android, either as part of the ROM or by
flashing an
OTA update,
it no longer needs “Unknown Sources” enabled to function. This is the
preferred method of operation, so we aim to make it as easy as
possible for users to run F-Droid this way. Flashing the OTA package
for F-Droid
Privileged Extension
has the same or lower risk profile as installing the standard “gapps”
package that many people flash onto custom ROMs. So this delivery
method does not increase the risk profile of those users.

Protecting against malicious contributor-generated data

The app descriptions are submitted by all sorts of people, and they
can also be taken from the app’s source repository. This data is
ultimately delivered to the Android client or the user’s browser via
f-droid.org.